Fix SSRF (Server Side Request Forgery) in Remix
SSRF in Remix occurs when server-side functions such as loaders or actions accept a user-controlled URL and pass it to a network-requesting sink (for example fetch) without validation. Because the request originates from the trusted server environment rather than the client's browser, the impact is typically exposure of internal microservices or cloud metadata services (e.g., 169.254.169.254) that the browser could never reach directly.
The Vulnerable Pattern
export async function loader({ request }) {
  const url = new URL(request.url).searchParams.get("proxyUrl");
  // VULNERABLE: user input flows straight into the fetch sink without validation
  const response = await fetch(url);
  return response.json();
}
The Secure Implementation
The secure implementation mitigates SSRF by moving from a "trust-all" approach to a "deny-by-default" stance. First, it parses the input with the URL constructor so that the checks run against a normalised hostname and protocol rather than a raw string, which defeats simple bypasses. Second, it enforces the https: protocol, rejecting file://, gopher:// and plain http:// schemes. Third, it applies a strict hostname allow-list. For production-grade security, developers should also implement DNS resolution checks to ensure the target does not resolve to private ranges (RFC 1918) or link-local addresses, to prevent DNS rebinding attacks. Note also that fetch follows redirects by default, so an allow-listed host that redirects to an internal address would still be followed unless the request is made with redirect: "error" or "manual".
const ALLOWED_HOSTS = ["api.trusted.com", "cdn.internal.org"];

export async function loader({ request }) {
  const urlString = new URL(request.url).searchParams.get("proxyUrl");
  if (!urlString) throw new Response("Missing URL", { status: 400 });

  try {
    const targetUrl = new URL(urlString);

    // 1. Enforce protocol
    if (targetUrl.protocol !== "https:") {
      throw new Error("Insecure protocol");
    }

    // 2. Strict allow-listing of hostnames
    if (!ALLOWED_HOSTS.includes(targetUrl.hostname)) {
      throw new Error("Disallowed target");
    }

    const response = await fetch(targetUrl.toString());
    return response.json();
  } catch (e) {
    // Any parse, policy or fetch failure is reported uniformly to the caller
    throw new Response("Access Denied", { status: 403 });
  }
}
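The DNS resolution check recommended above, carried through as an added example (not the page's or Remix's own code): the allow-listed loader is extended with a private-range guard, and the resolver is injectable so the logic can be exercised offline. `isPrivateIPv4`, `validateTarget` and the IPv4 range table are assumptions introduced here.

```javascript
const ALLOWED_HOSTS = ["api.trusted.com", "cdn.internal.org"];

// Constructed helper (not from the page): true for IPv4 literals a server-side
// fetch must never reach: loopback, link-local (169.254.0.0/16, which holds the
// cloud metadata address), RFC 1918 and CGNAT. Malformed input counts as unsafe.
function isPrivateIPv4(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
  const [a, b] = p;
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Parse, require https, allow-list the hostname, then resolve it and reject
// private answers. `resolve` is injectable so the check runs offline in tests;
// by default A records are read via node:dns (IPv6/AAAA is left to the reader).
async function validateTarget(urlString, resolve) {
  let target;
  try { target = new URL(urlString); } catch { return { ok: false, reason: "Malformed URL" }; }
  if (target.protocol !== "https:") return { ok: false, reason: "Insecure protocol" };
  if (!ALLOWED_HOSTS.includes(target.hostname)) return { ok: false, reason: "Disallowed target" };
  const lookup = resolve ?? (async (h) => (await import("node:dns")).promises.resolve4(h));
  let addrs;
  try { addrs = await lookup(target.hostname); } catch { return { ok: false, reason: "DNS failure" }; }
  if (addrs.length === 0 || addrs.some(isPrivateIPv4)) {
    return { ok: false, reason: "Resolves to private address" };
  }
  return { ok: true, url: target.toString() };
}

// Remix loader using the guard (add `export` in a route module). redirect: "error"
// stops an allow-listed host from bouncing the server to an internal address.
// fetch resolves the name again, so a rebinding attacker keeps a small window;
// closing it fully needs a custom agent/dispatcher that pins the checked IP.
async function loader({ request }) {
  const urlString = new URL(request.url).searchParams.get("proxyUrl");
  if (!urlString) throw new Response("Missing URL", { status: 400 });
  const verdict = await validateTarget(urlString);
  if (!verdict.ok) throw new Response("Access Denied", { status: 403 });
  const response = await fetch(verdict.url, { redirect: "error" });
  return response.json();
}
```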
Verified by Ghost Labs Security Team